A Closer Look at PKI: Security and Efficiency

Alexandra Boldyreva1 and Marc Fischlin2 and Adriana Palacio3 and Bogdan Warinschi4

1Georgia Institute of Technology, USA. [email protected]

2Darmstadt University of Technology, Germany. [email protected]

3Bowdoin College, USA. [email protected]

4University of Bristol, UK. [email protected]

April 13, 2007

Abstract In this paper we take a closer look at the security and efficiency of public-key encryption and sig- nature schemes in public-key infrastructures (PKI). Unlike traditional analyses which assume an “ideal” implementation of the PKI, we focus on the security of joint constructions that consider the certification authority (CA) and the users, and include a key-registration protocol and the algorithms of an encryption or a signature scheme. We therefore consider significantly broader adversarial capabilities. Our analysis clarifies and validates several crucial aspects such as the amount of trust put in the CA, the necessity and specifics of proofs of possession of secret keys, and the security of the basic primitives in this more complex setting. We also provide constructions for encryption and signature schemes that provably satisfy our strong security definitions and are more efficient than the corresponding traditional constructions that assume a digital certificate issued by the CA must be verified whenever a public key is used. Our results address some important aspects for the design and standardization of PKIs, as targeted for example in the standards project ANSI X9.109.

1 Introduction

Public key cryptography implicitly relies on the existence of a public-key infrastructure (PKI), where each user has a pair of public and secret keys for the cryptosystem, and that this association is publicly available. The designers of public-key cryptosystems always define how the public and the secret keys are generated and used, but almost never carefully specify how the binding between keys and user identities takes place. The tacit assumption is that this binding is established a priori through PKI management operations.

1.1 Motivation The policies and the procedures regarding PKIs are continuously changing and detailed descriptions are invari- ably long and tedious.1 Unfortunately, existing literature still does not answer several important questions.

1See for example the document that describe the current state-of-the-art: ”Internet X.509 Public Key Infrastructure – Cer- tificate Management Protocol (CMP)” [1]. What exactly is the certification authority (CA), the entity that links public keys to identities, trusted not to do? Can and should some degree of security be ensured even when the CA is malicious or becomes com- promised? Proofs of possession (POP) —in which a user proves possession of the secret key when registering a public key with the CA— are a defense mechanism for protecting against rogue-key and key-substitution attacks, but what exactly should they be and, more importantly, are they really necessary? A question that is perhaps even more important is whether provably-secure encryption and signature schemes are indeed secure when used in a particular PKI. Although it is largely believed to be the case, the question is far from moot since most existing schemes are analyzed in settings where compositional aspects are neglected. In particular, the security of the combination of a key-registration protocol with existing encryption or signature schemes does not immediately follow from the security of the individual components. In principle, by cleverly combining its ability to attack the key-registration protocol and its ability to attack the primitive (encryption or signatures), an adversary could mount a successful attack against the joint construction. Limitations of security analyses that do not explicitly include the behavior of the CA or the key-registration protocol have been previously pointed out in other contexts. In the case of key exchange, Shoup [40] suggests that registration of public keys should be considered explicitly as part of the key agreement protocol to be analyzed. Kaliski [26] exemplifies the importance of such measures by presenting unknown key-share attacks on the MQV key exchange protocol [33]. These attacks could have been discovered with a thorough analysis that considers the CA as an active party participating in the protocol. We review further related work at the end in Section 6.

1.2 Contributions In this paper we initiate a study of PKIs with respect to security of the two most important public-key primitives: encryption and digital signature schemes. Our main motivation is to answer the questions raised above and other related issues. Models. Security arguments in the absence of rigorous models do not provide strong security guarantees, and such models are conspicuously absent in the case of PKIs. Our first contribution are rigorous definitions for primitives when used in this setting together with appropriate security notions. The inherent complexity of the PKI settings, the non-typical adversarial powers, and the difficulty of precisely identifying the situations that constitute a security breach make the design of such models an entirely non-trivial task. Since security goals depend on the primitive used, we treat the cases in which keys are used for encryption and for signing separately. Specifically, we define two primitives, called certified encryption and certified signature schemes, and for each primitive we define a notion of security. Besides the standard algorithms for encryption and signing, we model explicitly interactive protocols for registering the public keys with a CA. Consequently, our security notions are against an adversary with broad capabilities that take into account threats arising from the key-registration protocol, possibly run concurrently, the presence of several parties, including the users and the (possibly corrupt) CA. The details are in Sections 2, 3 and 4. Our security definitions are general and powerful. The models we propose directly capture settings where users have multiple public keys, and where keys have additional attributes, such as an expiration date. They easily extend to handle hierarchical certification and certificate revocation. Moreover, while we capture the original goal for which PKI was invented we make flexible assumptions on how certification is achieved. In particular, schemes that aim at achieving certification but avoid the original mechanism of explicit certificates specific to the traditional PKIs (e.g. schemes similar to those in [20, 2]) can still be analyzed in our models. We provide a detailed discussion in Sections 3 and 4. The design of our models in general and that of the security goals in particular are motivated by the “core” properties of the primitives, namely, confidentiality for encryption and integrity and authenticity for signatures. For protocols in which encryption schemes or signatures are used beyond these basic properties, e.g., encryption schemes used as commitments, additional analysis in light of the new goals is required. Yet, our attack model should be easily transferable to those scenarios, and only the security definitions would need to be adapted. Analysis of Traditional Schemes. Next we focus on constructions that satisfy the proposed notions of security. We start with an analysis of “traditional” certified encryption and certified signature schemes. In these constructions, the CA uses a signature scheme to issue digital certificates, and then parties produce

2 ciphertexts (resp., signatures) using a standard encryption (resp., signature) scheme. These schemes are defined in detail in Sections 3 and 4, respectively. Although it seems folklore that the traditional approach is “secure”, to the best of our knowledge no formal validation in a sound model with respect to clearly expressed security goals has been devised prior to our work. We offer a rigorous analysis that shows that these schemes are indeed secure in the appropriate security model we design. Our proof gives concrete security bounds that support recommendations for practical parameter choices. While expected, these results are important to increase confidence in the use of the schemes and allow to make security statements based on solid foundations. Our concrete security results are in Sections 3 and 4. The results that we obtain regarding the design of proofs of possession are less expected, if not surprising. Our investigation shows that formal proofs of knowledge are not necessary for basic security of the certified encryption and signature schemes, and that simpler challenge-response protocols suffice. For signatures, the user simply signs a distinct message2 provided by the CA. Perhaps surprisingly, we show that for basic encryption no proof of possession is required. Intuitively, in the case of encryption, this means that data privacy is not compromised if a user does not have the secret key associated to the public key it registers. We note that these results do not eliminate the proof-of-knowledge requirements imposed on these primitives in other settings (e.g., [4, 10, 9, 23, 31, 35]) and only concern the security of certified encryption and signatures. More efficient constructions. Since our models do not require that solutions use explicit certificates as in the traditional constructions, it is natural to ask if it is possible to obtain improvements over the traditional solutions, e.g., in terms of efficiency. We answer this question affirmatively. We present more efficient constructions for certified encryption and certified signature schemes that use implicit certificates therefore avoiding the explicit verification of the binding between public keys and identities. Our certified encryption scheme uses a variant of ElGamal encryption [18] combined with implicit cer- tificates realized through Schnorr signatures, and is proven secure according to our definition in the random oracle model [6] under the Computational Diffie-Hellman assumption. This scheme is more efficient than the traditional certified encryption scheme where the CA uses Schnorr signatures to issue explicit certificates and users employ ElGamal encryption3. For security parameter k the latter requires 4.75k modular multiplica- tions to encrypt (using the square-and-multiply exponentiation method combined with well-known speed-up techniques for multi-exponentiations) while our scheme only requires 3.25k multiplications, coming thus quite close to the performance of regular ElGamal encryption without certification. For signatures, we propose a construction based on Schnorr signatures [37], provably secure according to our definition in the random oracle model under the Discrete Logarithm assumption. Compared to the traditional approach of using such signatures as explicit certificates, our solution reduces the average number of modular multiplications for verification from 3.5k to 1.875k, and thus achieves almost the same efficiency as regular Schnorr signatures without certification. Notice that the increase in efficiency comes at the expense of a loss in provable security due to looser reductions. It is an open problem to find tighter reductions. We note that in the stateful settings where valid certificates of the other parties are stored permanently, traditional schemes are the expedient choice. For the stateless case, however, our constructions offer compu- tational savings over the traditional approach.

2 Modeling Public-Key Infrastructures

To model public-key infrastructures we assume that there is a designated party, the certification authority (CA), and a set of users. Each user has a unique identity ID ∈ {0, 1}∗ in form of an X.509 entry, an e-mail address or a similar distinguished name. The identity may also contain auxiliary information like an expiration date which refers for example to the contract period of an employee or to the validity period of the certificate.

Certification Authority. The CA holds a public key pkCA and a corresponding secret key skCA. We presume that the public key is authenticated and known to all parties, i.e., once it is published it cannot be changed by the adversary. This is usually accomplished by a hierarchical arrangement of CAs, each intermediate CA certifying the validity of the public key of its successor. Only the key of the root CA has to

2It is necessary to ensure that this message will not be signed by this user later. One way to achieve this, which is also our approach, is to prepend the “challenge” messages chosen by the CA with 0, and the messages the user signs with 1. 3Or a version of ElGamal that is IND-CCA secure in the random oracle model.

3 be authenticated by other means. Here we focus on the the simpler one-tier approach of having only one CA, i.e., our model can be viewed as a condensed hierarchy with our single CA as the root CA. We discuss the more general case of hierarchical CAs in Section 5.2. Registration of Keys. Each user can register keys with the CA by running the registration protocol. The required validation of the user’s identity ID is usually done before by the so-called registration authority (RA), which sometimes coincides with the CA. Checking the identity of the user wishing to register its public key is typically performed by the RA through personal identification and physical validation (e.g., with help of a passport or a driver license). Hence, this part is beyond our computational model and we simply assume that bindings between user identities and their public keys are authentic. We do not assume the existence of private channels. We do, however, presume authenticated channels between the CA and the users, even though the user most likely does not have a certified signature key when the registration starts. Without this minimal assumption about authenticated communication achieving any reasonable security guarantee seems to be impossible. The assumption can be enforced by a variety of means that include for example having the certification authority confirm the registration of a key through regular mail, signed electronic mail (with the signature verification key included in pkCA), legally binding documents, or simply meeting in person. The registration protocol itself is defined very generically. In this process the user derives a public key pk which may be used for encryption or signature verification and a secret key sk for decrypting or signing. We do not specify how the keys are generated (i.e., picked by the user alone or generated jointly between the user and the CA), yet we postulate that the CA should not be able to learn the corresponding secret key of the user. This inevitably requires interaction between both parties. The user also obtains a certificate cert which, classically, is an explicit certificate of type X.509, including the CA’s signature. But since we also use other approaches like implicit certificates cert should be rather thought of as an arbitrary, possibly empty string. We assume, however, that each pair (ID, pk), where pk is registered, is unique; this can be achieved as is done for X.509 certificates by issuing serial numbers or other auxiliary information. Revocation. For simplicity, we do not introduce revocation techniques in our basic model. We further discuss how to augment our definitions and schemes to address revocations in Section 5.3.

3 Secure Encryption in Public-Key Infrastructures

Syntax of Certified Encryption Schemes. A certified encryption scheme is a tuple CS = (EG, K, (C, U), E, D) of probabilistic polynomial-time algorithms: • EG is a randomized parameter-generation algorithm. It takes input 1k, where k is the security parameter, and outputs some global parameters I, available to all parties. For sake of readability we omit I from the input of the parties.

• K is a randomized key-generation algorithm. It takes input I, and outputs a pair (pkCA, skCA) consisting of a public key and a matching secret key. • (C, U) is a pair of interactive randomized algorithms forming the (two-party) public-key registration pro- tocol. C takes input a secret key skCA. U takes input the identity ID of a user and the public key pkCA corresponding to skCA. As result of the interaction, the output of C is (ID, pk, cert), where pk is a public key and cert is an issued certificate. The local output of U is (ID, pk, sk, cert), where sk is a secret key that $ user ID uses to decrypt ciphertexts. We write ((ID, pk, cert), (ID, pk, sk, cert)) ← (C(skCA), U(ID, pkCA)) for the result of this interaction. Either party can quit the execution prematurely, in which case the output of the party is set to ⊥. • E is a randomized encryption algorithm that takes input a user’s identity ID, a public encryption key pk, a certificate cert, the authority’s public key pkCA, and a message M ∈ MsgSp(I), and outputs a ciphertext C ∈ {0, 1}∗ ∪ {⊥}. • D is a deterministic decryption algorithm which takes input a user’s identity ID, a secret decryption key sk, a certificate cert, the authority’s public key pkCA, and a ciphertext C, and outputs M ∈ MsgSp(I) ∪ {⊥}. If M = ⊥ we say that the ciphertext C is invalid (relative to ID, sk, cert, pkCA).

4 The scheme is correct iff for any parameters I, any pkCA, any message M ∈ MsgSp(I), any user ID, and any $ $ ((ID, pk, cert), (ID, pk, sk, cert)) ← (CA(skCA), U(ID, pkCA)), and any C ← E(ID, pk, cert, pkCA,M)], it holds that D(ID, sk, pkCA, cert,C) = M. Remark 1. Our syntax does not explicitly deal with verifying the certificates, even though this may be necessary for security of the scheme. We assume that the constructions include such checks as part of their encryption algorithms. Remark 2. The certificateless encryption schemes of [20, 2] are special cases of certified encryption schemes where the certificate cert is empty. Security of Certified Encryption Schemes. We start with an informal discussion of the more interesting aspects of our model for secure certified encryption, and motivate some of the design choices that we made. We envision a powerful adversary that is allowed to even corrupt the CA (i.e. learn its secret key and act on its behalf). At a superficial glance it may seem that no security requirements would make sense in this case since under these circumstances the adversary could create new keys with valid certificates on behalf of honest users, and then decrypt any ciphertext created with these keys. We wish however to ensure that even if the CA is corrupt, the communication encrypted with keys truly registered by honest users is still protected. At least that requires the CA not to have users’ secret keys. This requirement is somewhat akin to forward security. Without loss of generality, we treat the case when the corruption of the CA is static, i.e., the adversary decides at the beginning of its execution whether to control the CA or not. Indeed, we are able to show that our definition is equivalent (up to a constant factor in the security statement) to the analogous definition where the adversary can corrupt the CA at any point (see Section 5.1). Naturally the fundamental security requirement for certified encryption is privacy of encrypted data. How- ever, as discussed in the introduction, we take into account potential threats arising from the use of the registration protocol. In particular, we require that an adversary cannot pass as genuine (registered) an un- registered key upon an honest user, in a way that allows the adversary to recover messages encrypted with this key. In other words, encryptions with unregistered keys can not be decrypted by the adversary. Our model uses the standard definitional idea of indistinguishabiliy [21] captured via left-right encryption oracles [5]. The left-right encryption oracle is initialized with a secret bit b and encrypts either the left message M0 or the right message M1 of the two messages submitted by the adversary. The oracle is universal in the sense that the adversary can query it about any party ID and for any (not necessarily valid) key/certificate pair pk, cert. We restrict the kind of queries that are allowed in order to exclude trivial attacks. We demand that either (1) user ID is honest and (ID, pk, cert) has been registered before with the CA, or (2) (ID, pk, cert) is not registered but the CA is still honest. The first condition covers the case of “standard” queries for proper keys of honest users, and encompasses the case when the CA might be corrupt. The second restriction prevents the adversary to register a key for some honest user (after corrupting the CA) and to determine the bit b easily. Also, if the CA is corrupt then the adversary can generate a certificate for any user locally, without invoking the registration protocol. This would also allow the adversary to create unregistered keys for which the oracle produces a valid ciphertext and which the adversary can still decrypt. Hence, we only permit queries where the key of the user has not been registered with the honest CA. Finally, we emphasize that in our model we do not assume that the communication between the users and the CA is encrypted, i.e., we assume public channels. We therefore avoid the “chicken-and-egg”-like problem: how to assume secret transmissions if one is still trying to establish a public encryption key through this communication? Definition 3.1 [Security of Certified Encryption Schemes] Let CE = (G, K, (C, U), E, D) be a certified cenc-ind-atk encryption scheme. We associate to scheme CE, an adversary A, and a bit b the experiments ExpCE,A,b (k) for atk ∈ {cpa, cca}. In both experiments A is given as input I ←$ G(1k). The experiment maintains two virtual arrays RegListPub, RegListSec used to store public and secret information pertaining to users (respectively). We note that A knows the elements of RegListPub but not those of RegListSec. Also the adversary has access to all transcripts of the protocols executed during the experiment.

• Corruption of certification authority: First, A decides if to corrupt the CA. If so, A chooses the key pkCA $ of the CA, else pkCA is generated via (pkCA, skCA) ← K(I) and given to A.

5 • Registering keys of users: During the experiment, A can specify a user ID from the set of identities, to initiate a run of the public-key registration protocol with the honest or corrupt certification authority. If this is the first time the user ID is activated then A first decides whether to corrupt this user or not. In the execution with the CA we assume wlog. that at least one party is honest. At the end of the execution, when C outputs values (ID, pk, cert) and U outputs (possibly different) values (ID0, pk0, sk0, cert0), we store (ID0, pk0, cert0) in RegListPub and (ID0, pk0, sk0, cert0) in RegListSec if U is honest, or merely (ID, pk, cert) in RegListPub if only C is honest. If one of the parties is dishonest or stops prematurely then ⊥ is stored in the corresponding array. Notice that all steps in the experiment, including steps of this interactive protocol may be arbitrarily interleaved.

• Encryption queries: A can query UECE(b, pkCA, ·, ·, ·), a universal left-right encryption oracle. It takes as input a tuple (ID, pk, cert) and two messages M0,M1 ∈ MsgSp(I) of equal length and returns a cipher- $ text C ← E(ID, pk, cert, pkCA,Mb). We impose the restriction that user ID is honest and at this point (ID, pk, cert) is listed in RegListPub, or that the certification authority is still honest but (ID, pk, cert) does not appear in RegListPub at this point. cenc-ind-cca • Decryption queries: In experiment ExpCE,A,b (k) the adversary is also given access to a universal decryption oracle UDCE(pkCA, ··· ) which has access to the array RegListSec. The queries to the oracle are tuples (ID, pk, cert,C) where we require that C has not been previously returned by oracle UECE(b, pkCA, ··· ) as answer to some query ((ID, pk, cert),M0,M1). If (ID, pk, sk, cert) occurs in RegListSec the oracle returns D(ID, sk, cert, pkCA,C); otherwise, it returns ?⊥. The adversary eventually stops and outputs a guess bit d which is also considered to be the output of the experiment. For atk ∈ {cpa, cca} the adversary’s advantages in attacking the scheme are defined as follows.

cenc-ind-atk cenc-ind-atk cenc-ind-atk AdvCE,A (k) = Pr[ExpCE,A,1 (k) = 1] − Pr[ExpCE,A,0 (k) = 1] .

CE is said to be IND-CPA (resp. IND-CCA) secure if the corresponding advantage of any poly(k)-time adversary A is negligible.

“Traditional” Certified Encryption Schemes. We confirm that the classical approach of using signature- based certificates for the encryption scheme yields a secure certified encryption scheme. We show this to be the case even when during a public key registration a user does not prove that it knows the corresponding secret key. The schemes that we use in our construction satisfy standard security notions (see the full version Section A for precise definitions of syntax and security). We now give the scheme (Construction 3.2) and state our security result (Theorem 3.3). The proof is in Appendix B.

Construction 3.2 (Traditional Certified Encryption Scheme) Let DS = (SGs, SKs, Ss, Vs) be a digital signature scheme, and AE = (EGe, EKe, Ee, De) be an asymmetric encryption scheme. Define TCE = (EG, K, (C, U), E, D): k $ k $ k • Parameter generation: Algorithm EG(1 ) executes Is ← SGs(1 ), Ie ← EGe(1 ) and outputs I = (Is, Ie). $ • Key generation: Algorithm K generates a key pair (pkCA, skCA) ← SKs(Is). $ • Registration: In order to register a key user, ID first generates a key pair (pk, sk) ← EKe(Ie) and sends $ (ID, pk) to C who computes s ← Ss(skCA, ID||pk) and outputs (ID, pk, s). The user sets cert = s and outputs (ID, pk, sk, cert).

• Encryption: To encrypt a message M under identity ID, public key pk, certificate cert and key pkCA the encryption algorithm E first verifies with Vs that cert is a valid signature for ID||pk under key pkCA. If not $ then return ⊥. Else compute C ← Ee(pk,M) and return C. • Decryption: To decrypt a ciphertext C with (ID, sk, cert) and pkCA run algorithm De(sk,C) and return the answer.

Theorem 3.3 Let DS be a secure signature scheme and let AE be an IND-CPA secure (resp. IND-CCA secure) encryption scheme. Then the certified encryption scheme in Construction 3.2 is IND-CPA secure (resp. IND-CCA secure).

6 More precisely, for adversary A let QR be the maximal number of (initiated) registration executions during cenc-ind-cpa cenc-ind-cpa experiment ExpCE,A,0 (k) or ExpCE,A,1 (k). Then there exists algorithms BDS and BAE such that for atk ∈ {cpa, cca},

Advcenc-ind-atk(k) ≤ Q · Advenc-ind-atk(k) + 2Q · Advuf-cma(k) , CE,A,b R AE,BAE,b R DS,BDS

where BDS and BAE both run in time Time(A)+c log QR for a small constant c, and the advantages describe the success probabilities of BDS and BAE attacking the underlying encryption and signature scheme, respectively (see Appendix A for formal definitions). The proof idea is as follows. We turn a successful adversary A on the certified encryption scheme into an adversary BAE on the underlying encryption scheme. This algorithm BAE tries to guess in advance which of the registered keys adversary A will use to break the security of the certified scheme. This simulation works as long as adversary A does not use an unregistered but valid key, in which case we derive a successful attack on the signature scheme used in the certification procedure. Efficient Certified Encryption Scheme. In the sequel we present our ElGamal-based encryption scheme with implicit certificates. We show that if the computational Diffie-Hellman problem is hard (see Appendix C for a precise statement of this assumption), our scheme guarantees IND-CCA security. At the same time, the efficiency of our scheme is close to that of the basic ElGamal encryption without certificate verifications. The security of the following construction is captured by Theorem 3.5. Its security is also provided in Appendix 3.5. The idea of our scheme is to let the CA issue certificates in forms of Schnorr signatures for identity ID and to use these values for a CCA2-version of the ElGamal encryption. That is, for the CA’s public key z r c pkCA = Z = g the CA hands the user the values R = g and logg RZ for c = H(R, ID). To send the user encrypted messages one uses the value RZc as the public ElGamal key, and the user can decrypt with his c decryption key sk = logg RZ . Below we use a slightly different variant in which the user contributes to the Schnorr signature via a random value S = gs, in order to deny the CA knowledge of the decryption key.

Construction 3.4 [Certified ElGamal Encryption] We construct the certified ElGamal encryption scheme CE = (EG, EK, (C, U), E, D) as follows: • Parameter generation: Algorithm EG on input 1k generates a (description of a) group G of prime order q = q(k), as well as a generator g of this group. Let 2k ≤ q < 2k+1. Algorithm EG also picks (descriptions ∗ ∗ t+k ∗ of) hash functions F = {0, 1} → Zq, G : {0, 1} → {0, 1} , H : {0, 1} → Zq. It returns I = (G, q, g, F, G, H). The associated message space is {0, 1}t. These parameters are given to all parties and algorithms as additional input. $ z • Key generation: Algorithm EK on input I selects z ← Zq and computes Z = g . It returns (pkCA, skCA) = (Z, (Z, z)). • Key registration: The pair (C, U) of interactive algorithms is defined by the following steps. C gets as input $ skCA = (Z, z), while U gets some identity ID and pkCA = Z. The authority C first picks r ← Zq, computes r $ s R = g and and sends R to U. User U chooses s ← Zq, computes S = g and sends (S, ID) back to C. Upon receiving (S, ID) algorithm C sets c = H(R, S, ID) and y = r + cz mod q. Let pk = (R,S) and cert = ε be empty. C returns (R, y) to U and outputs (ID, pk, cert). U verifies that gy = RZc for c = H(R, S, ID), c computes sk = s + y mod q and outputs (ID, pk, sk, cert). Note that sk = logg RSZ . t • Encryption: For input ID, pk = (R,S), cert = ε, pkCA = Z and message M ∈ {0, 1} the encryption algorithm picks α ←$ {0, 1}k, computes a = F (ID, pk, cert, α||M), A = ga and B = G( ID, pk, cert, (RSZc)a ) ⊕ α||M where c = H(R, S, ID). It outputs C = (A, B).

• Decryption: For input ID, sk, cert = ε, pkCA = Z and C = (A, B) the decryption algorithm computes α||M = B ⊕ G(ID, pk, cert,Ask ) and verifies that A = gF (ID,pk,cert,α||M). In this case it returns M, else it returns ⊥.

Theorem 3.5 Suppose that the parameter generator EG in the encryption scheme in Construction 3.4 gener- ates CDH-secure groups, and that F, G, H are modeled as random oracles. Then the scheme CE in Construc- tion 3.4 is IND-CCA secure in the random oracle model.

7 The efficiency of our scheme is comparable to the one of regular ElGamal encryption without certifi- cate verification. With the square-and-multiply exponentiation method, basic ElGamal encryption without certification needs 3k expected multiplications, our scheme based on implicit certificates requires 3.25k mul- tiplications on the average, whereas regular ElGamal encryption with explicit Schnorr signature certificates would require 4.75k expected modular multiplications.

4 Secure Signatures in Public-Key Infrastructures

Syntax of Certified-Signature Schemes. A certified-signature scheme is a tuple CS = (SG, K, (C, U), S, V), where the constituent algorithms run in polynomial time and are defined as follows. • Algorithms SG, K and registration protocol (C, U) are as in the definition of certified encryption schemes (here, SG replaces EG). • S is a (possibly) randomized signing algorithm. It takes input an identity ID, a secret key sk, a certificate ∗ cert, the authority’s public key pkCA and a message M ∈ {0, 1} , and outputs a signature σ. • V is a deterministic verification algorithm. It takes input an identity ID, a public key pk, a certificate cert, a public key pkCA, a message M and a signature σ, and outputs 0 or 1. In the latter case, we say that σ is a valid signature for M relative to (ID, pk, cert, pkCA). We require that for all M ∈ {0, 1}∗ and all users ID, if (pk, sk) is a key pair for user ID with cert, i.e., $ ((ID, pk, cert), (ID, pk, sk, cert)) ← (C(skCA), U(ID, pkCA)) for (pkCA, skCA) generated by K(I) and I output by k G(1 ), then, for verification, V(ID, pk, cert, pkCA,M, S(ID, sk, cert, pkCA,M)) = 1. Security of Certified-Signature Schemes. We consider again a powerful adversary whose capabilities combine the more standard chosen-message attacks with additional capabilities specific to our setting. The adversary attempts a forgery by outputting a user identity, a public key, a message and a signature. Roughly, the adversary wins if the signature is valid with respect to the chosen public key, and either (1) the honest user has registered the public key and has not priorly signed the message, (2) the public key has not been registered, or (3) the same public key has been registered by a different (honest) user. Condition (1) corresponds to the notion of existential unforgeability [22] for standard digital signature schemes, and we require that it holds even if the CA is corrupt. Condition (2) guarantees that signatures for keys that are not bound to identities of the users (i.e., “outside of the PKI”) are not valid. Condition (3) prevents attacks where for example a malicious user claims authorship of a message signed by another user. Definition 4.1 [Security of Certified-Signature Schemes] Let CS = (SG, K, (C, U), S, V) be a certified- signature scheme. We associate to scheme CS, an adversary A, and security parameter k an experiment cs-uf ExpCS,A(k). The experiment maintains arrays RegListPub, RegListSec which are as in the experiments defining security for certified encryption schemes. In the beginning of the experiment, public parameters are generated via I ←$ G(1k) and are given as input to the adversary, and then, A can make the following requests or queries: • Corruption of certification authority: This stage is as in the experiment defining the security of certified encryption. • Registering keys of users: This is handled as in the model for defining security of certified encryption. pkCA • Signature queries: A can make signature requests to a universal signing oracle USCS : on a query (ID, pk, cert,M) the oracle verifies that user ID is honest, and if so it looks up the corresponding entry (ID, pk, sk, cert) in RegListSec and returns to A a signature S(ID, sk, cert, pkCA,M). Otherwise, the an- swer of the oracle is ⊥.

Eventually, A stops and outputs an attempted forgery (ID, pk, cert, M, σ). The experiment returns 1 if V(pkCA, ID, pk, cert, M, σ) = 1 and the following conditions are satisfied (otherwise it returns 0): 1. ID is honest, and no valid signing query (ID, pk, cert0,M) was made for any cert0, or 2. CA is honest and (ID, pk, cert0) 6∈ RegListPub, for any cert0 (i.e. the user ID never registered the key pk), or

8 3. CA is honest and (ID0, pk, cert0) ∈ RegListPub for some honest user ID0 6= ID (i.e. some honest user registered pk), We define the advantage of adversary A as cs-uf h cs-uf i AdvCS,A(k) = Pr ExpCS,A(k) = 1 . cs-uf We say that CS is a secure certified-signature scheme if the function AdvCS,A(·) is negligible for all poly(k)- time adversaries A.

“Traditional” certified signature schemes. Here we analyze the traditional approach to certified signatures, where the public-keys of users are certified by the certification authority using a a digital signature scheme. In turn, users produce signatures by using the secret keys associated with their certificated public- keys. Signature verification consist in verifying the signature of the user and the validity of the certificates for the users’ public-keys. An interesting aspect that we clarify is that proofs of knowledge of the secret key associated to the public key of the user are not necessary to ensure security of the scheme. We show that simply signing a designated message in a proof of possession is sufficient for security. We now give the scheme (Construction 4.2) and state our security result (Theorem 4.3). The proof is inAppendix ??, along with the concrete security result.

Construction 4.2 (Traditional Certified Signature Scheme) Let DS = (SG, SK, S1, V1) be a digital signature scheme4. The first two algorithms of a certified-signature scheme TCS = (G, K, (C, U), S, V) are those of DS, and the rest of polynomial time algorithms are defined as follows. • Parameter and key generation: G ≡ SG, K ≡ SK. • Registration: To register pk, a user ID sends pk to the CA. CA sends to the user a random “challenge” message5 M 0 ←$ {0, 1}k. The user computes σ0 ←$ S(sk, 0||M 0) and sends it to CA. If V(pk, 0||M 0, σ0) = 1 $ then CA computes cert ← S(skCA, (ID, pk)), sends cert to the user and outputs (ID, pk, cert). The user outputs (ID, pk, sk, cert). $ • Signing: S on input (ID, sk, cert, pkCA,M) outputs σ ← S1(sk, 1||M). • Verification: V takes (ID, pk, cert, pkCA, M, σ). It outputs 1 iff V1(pkCA, (ID, pk), cert) = 1 and V1(pk, 1||M, σ) = 1. Theorem 4.3 Let DS = (SG, SK, S, V) be a digital signature scheme. Then if DS is secure (existentially unforgeable under chosen-message attack), then TCS is a secure certified signature scheme.

More precisely, for adversary A let QR be the maximal number of (initiated) registration executions during cs-uf experiment ExpTCS,A(k). Then there exists an algorithm B such that Q Advcs-uf (k) ≤ 3Q · Advuf-cma(k) + R . TCS,A R DS,B 2k where B runs in time Time(A) + c log QR for a small constant c. The proof idea is to transform an attacker against the certified signature scheme into one against the underlying signature scheme (by guessing the right target key in advance). It is not hard to see that each successful attack on the certified scheme (new signatures under keys of honest users, generating an unregistered but valid key, and registering keys of honest users under different names) immediately yields a forgery for the signature scheme. Efficient certified signature schemes. Here we give a construction of an efficient, provably secure certified signature scheme based on Schnorr signatures. Its security, captured by Theorem 4.5, is based on the discrete logarithm assumption (a precise definition is given in Appendix E). The idea is similar to the encryption case, where the CA issued Schnorr signatures to be used as the secret and public ElGamal keys by users, only this time we let the users deploy the key pairs for Schnorr signatures themselves.

4For simplicity we consider a case when the certification authority and a user use a single signature scheme. The definition and other results can be easily modified to accommodate a case when different signatures are used by the parties. 5We need that all challenge messages be different with overwhelming probability. An alternative approach would be to include a current date and time in the challenge message.

9 Construction 4.4 (Schnorr-based Certified Signature Scheme) We define scheme CS = (SG, K, (C, U), S, V) by the algorithms: • Parameter generation: Algorithm SG on input 1k generates a (description of a) group G of prime order q = q(k), as well as a generator g of this group. Let 2k ≤ q < 2k+1. Algorithm SG also picks (descriptions ∗ ∗ of) hash functions G : {0, 1} → Zq, H : {0, 1} → Zq. It returns I = (G, q, g, G, H). These parameters are given to all parties and algorithms as additional input. $ z • Key generation: Algorithm EK on input I selects z ← Zq and computes Z = g . It returns (pkCA, skCA) = (Z, (Z, z)). • Key registration: The pair (C, U) of interactive algorithms is defined by the following steps. C gets as input $ skCA = (Z, z), while U gets some identity ID and pkCA = Z. The authority C first picks r ← Zq, computes r $ s R = g and sends R to U. User U chooses s ← Zq, computes S = g and sends (S, ID) back to C. Upon receiving (S, ID) algorithm C sets c = H(R, S, ID) and y = r + cz mod q. Let pk = (R,S) and cert = ε. C returns (R, y) to U and outputs (ID, pk, cert). U verifies that gy = RZc for c = H(R, S, ID), computes c sk = s + y mod q and outputs (ID, pk, sk, cert). Note that sk = logg RSZ . $ • Signing: For input ID, sk, cert = ε, (R,S), certificate ε and Z the signing algorithm picks a ← Zq and computes A = ga and B = a + sk · G(ID, A, M). The signature is σ = (A, B).

• Verification: For input ID, pk = (R,S), ε, pkCA = Z, a message M and a signature σ = (A, B) the verification algorithm outputs 1 if the equation gB = A(RSZc)d holds, where c = H(R, S, ID) and d = G(ID, A, M). Otherwise it outputs 0.

Theorem 4.5 The certified-signature scheme of Construction 4.4 is secure in the random oracle model if the parameter generation algorithm generates DL-secure groups.

For the above scheme, signing is exactly as in standard Schnorr signature schemes and thus as efficient. Verification of a signature, however, now requires on the average only 1.875k modular multiplications with the square-and-multiply method, as opposed to 3.5k modular multiplications as required to verify two separate Schnorr signatures.

5 Extensions 5.1 Static vs. Adaptive Corruptions For simplicity, we allow only static corruptions of the CA and the users in our models. As we discuss next, allowing adaptive corruptions of the parties (except for adaptive user corruptions for encryption) does not give the adversary much advantage over static corruptions. We first show that adaptive CA corruptions, where the adversary may decide upon corrupting the CA at any point during the execution and, if so, then learns the secret key skCA as well as all internal randomness of the CA, does not enable much more powerful attacks, neither for signatures nor for encryption. That is, we can guess in advance with probability 1/2 whether the adaptive adversary will corrupt the CA during the experiment or not. Depending on this prediction we possibly corrupt the CA at the beginning. Then we let the (corrupt) CA honestly follow its program and if the adversary later decides to corrupt the CA, then we hand over the secret key and the randomness. If our initial guess is wrong we stop with fixed output 0. Then we have reduced static CA corruptions to adaptive ones, and this decreases the advantage only by a factor of 1/2 for both encryption and signatures. As for adaptive user corruptions, in case of encryption users cannot be corrupted adaptively once they have been activated for the first time. This prevents trivial attacks in which the adversary asks the encryption oracle to create a ciphertext for an honest user and registered key, and then corrupts this user adaptively to learn which message has been encrypted and the bit b. Security against such attacks would require sophisticated solutions like non-committing encryption [] and is beyond the scope of this paper. For signatures, users may be corrupted adaptively on the other hand (and this can be combined with adaptive corruptions of the CA). Analogously to the case of CA corruptions it follows that such adaptive user corruptions do not increase the adversary’s power significantly. Namely, if there are at most n active users

10 during an attack then we can guess in advance with probability 1/(n + 1) a single user which remains honest (or if no users stays honest). Then we corrupt all other users and let them follow the prescribed program up to the point where the adaptive adversary asks to corrupt one of them. In this case, we give the adversary the secret keys and the randomness of the corresponding user. If we later find out that our guess has been wrong we stop with output 0. Else, the advantage of the adaptive adversary reduces (by a factor n + 1) to the advantage of breaking the scheme with static user corruptions.

5.2 Hierarchical Certification Another simplification of our model is that we have a flat certification hierarchy, i.e., each user key is only certified by one CA. In reality, the certification process is usually distributed over several CA’s, typically ordered hierarchically in a tree. In such a tree, starting with the root CA, any CA certifies the public keys of its children down to the leave CAs which then certify the user’s keys. Our models can be easily extended to this case, as explained next. We assume that there is a set of CA identities CA ∈ {0, 1}∗ with one distinguished root CA identity rCA ∈ {0, 1}∗. We further suppose that the set of CA identities is disjoint from the set of user identities ID ∈ {0, 1}∗, i.e., the CA keys can only be used for certification tasks. At the beginning of an attack the adversary decides upon corruption of the root CA and a (possibly adversarial) root key pkrCA is published. During the attack the adversary may now also initiate CA registrations between different authorities CA, CA∗, where the common input is a certification path (CA0, pk0, cert0), (CA1, pk1, cert1),..., (CAm, pkm, certm) of CA names and keys, starting with the root authority CA0 = rCA, pk0 = pkrCA, cert0 =  and ending with authority ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ CAm = CA. At the end of this execution CA outputs (CA , pk , cert ) and CA outputs (CA , pk , sk , cert ) (a party can also output ⊥ in case of error). This implies in a straightforward way a list of registered public (and secret) keys RegListPub (and RegListSec) indexed by the certification path. In the case of a flat hierarchy and a single CA the adversary may put any encryption request where the user is honest and the key registered with the CA, or where the CA is still honest but the public key of the user not registered. In the hierarchical setting with root authority rCA this transfers accordingly. Each encryption query now consists of a certification path (CA0, pk0, cert0), (CA1, pk1, cert1),..., (CAm, pkm, certm) of CA names and keys (starting again with the root CA0 = rCA), as well as a user key (ID, pk, cert) and two messages M0,M1. The requirement now is that user ID is still honest and (ID, pk, cert) has been registered with authority CAm, i.e., appears in the array RegListPub indexed by the certification path. Or, there must exist an index i ∈ {0, 1, 2, . . . , m} such that authorities CA0,..., CAi are honest but (CAi+1, pki+1, certi+1) (or (ID, pk, cert) in case i = m) is not listed with authority CAi in the array indexed by the corresponding prefix of the certification path at this point. Decryption queries are now dealt with accordingly. They also take a certification path as input, in addition to (ID, pk, cert,C). If C has never been returned by encryption oracle for a query including (ID, pk, cert), then the decryption oracle looks for an entry in the array RegListSec indexed by the certification path. If such an entry exists then the oracle decrypts the ciphertext, otherwise it returns ⊥. For signature schemes and oracle queries (ID, pk, cert,M), including a certification path, the signature oracle verifies that the user ID is still honest and that (ID, pk, cert) appears in the array index by the path. If so, it looks up the corresponding secret key and signs, else it returns ⊥. The verification algorithm also gets Our definition of a certified signature scheme immediately allows to build such hierarchical certified schemes. Namely. suppose one uses a certified signature scheme according to Definition 4.1 to let CAs issue certificates for keys, and that the validity of each key in the certification path when encrypting or verifying signatures is checked. Then it follows almost identical to the proofs of Theorems 3.3 and 4.3 that this yields a secure certified encryption or signature scheme in the hierarchical setting.

5.3 Integrating Revocation Augmenting our security definitions for encryption and signatures by explicit revocation in forms of certificate revocation lists (CRLs) or through the online certificate status protocol (OCSP) is straightforward. Namely, let the adversary also allow to ask for revocation of certificates during the experiment. For such a query the key (ID, pk, cert) is marked as revoked and, from this point on, may not be used in subsequent encryption or signature queries. Note that this only limits the adversary’s power.

11 Implicit revocation can be added to our definitions by considering extended identities ID = ID0||hii with augmented time periods i and by attaching round scheduling in a straightforward way. A user can then refresh his or her certificate for the next time period i + 1 by simply running the registration protocol with the CA and identity ID = ID0||hi + 1i. The CA can keep state such that it can differentiate between new registrations and refreshes. By this, we easily capture implicit revocation methods like Micali’s hash chains or identity-based schemes. The specifications for successful attacks in both cases remain unchanged, although further restrictions can be incorporated, e.g., that the adversary must corrupt users with identities ID0||hji if it already controls the user ID0||hii for a previous period i < j, or that only encryption and signature queries for the current time period are allowed. Modifying our schemes to work with Micali’s hash chains, for example, is straightforward.

6 Related Work

Here we review several PKI-related works in the literature and put our results in the context [20, 2, 14, 15, 27, 28, 40, 26, 33, 29, 39, 16, 7, 17, 41, 42, 24, 30]. Gentry [20], Al-Riyami and Paterson [2] and subsequent works [29, 39, 16, 7, 17, 3, 41, 42, 24, 30] recently proposed public-key encryption schemes that do not assume a standard PKI. Similarly to our efficient scheme, certificates are implicit, that is, a sender does not have to verify the certificate before sending an encrypted message, yet only the user who properly registered its public key is able to decrypt. The goals of their schemes and ours, however, differ. The motivation for the works of [20, 2, 29, 39, 16, 7, 17, 41, 42, 24, 30] is to overcome the main weakness of identity-based encryption (IBE) [38, 11], namely, the requirement that the trusted party called a private key generator (PKG) knows the secret keys of the users, while preserving the advantage of IBE of simplified management of expired and revoked public keys. Gentry also eliminates the requirement of a secure channel between a user and the PKG. On the other hand, the goal of our scheme is to achieve an efficiency improvement over “traditional” discrete-logarithm-based certified encryption schemes and, similar, for certified signature schemes. While our schemes require the key management support of a traditional PKI, they come with computational savings. Security of implicit certificates in the context of digital signatures had been priorly investigated by Brown, Gallant, and Vanstone [12]. Their security model is only concerned with the certification process and does not consider the usage of the resulting keys. However, for the particular application analyzed in the paper, the resulting security model (which is strictly weaker and less general than the one we introduce here) appears to suffice. Canetti [14] recently presented a universally composable certification protocol, that uses traditional signature- based certificates. And while universal composition provides very strong security guarantees, his approach falls again short of investigating the combined certification and encryption or signature process, neither does his model take CA corruptions and the broader adversarial capabilities into account. In contrast to our more efficient solutions based on implicit certificates, alternatives to the traditional approach are not discussed in [14]. Stronger security requirements on signatures are imposed by the model suggested by Menezes and Smart [34] for the use of signatures in the “multi-user setting”. Condition (3) of our definition of security for signature schemes is reminiscent of their security requirement. However, the framework proposed in [34] does not explicitly consider the registration protocol. Since our basic model is concerned with security under one-level of certification, some of the issues specific to hierarchical PKIs do not show up explicitly. When tackling such settings (which naturally arise in practice, e.g. when using PGP [43]), special attention needs to be payed to the trust that parties put in certificate chains, given that one or several of the CAs could have been corrupted. Prior research that could prove useful in extending our framework to these settings include various models for trust in key authenticity [32, 13, 25], quantitative trust evaluation [8], as well as various defenses against multiple CA corruption (e.g. multi- certificate chains [36]). Our efficient certified encryption scheme resembles the PKI-enabled CA-Oblivious encryption scheme inde- pendently proposed by Castelluccia et al. in their recent work [15] as a building block for a secret handshake protocol. The authors analyze their schemes with respect to a significantly weaker security notion, namely one-wayness. Moreover, in their scheme the CA knows the secret keys of the users and is trusted to behave

12 honestly. In their model, it is also assumed that the CA is trusted not to use the knowledge of the secret keys. Moreover, no standard outsider attacks are considered, that is a scheme where an adversary can decrypt messages addressed to the registered users can be proven secure! The authors prove that their scheme satisfies their security notion in the RO model. The authors suggest how to modify the scheme to allow the CA to be less trusted, but the security of the resulting scheme is unclear. It is also suggested in [15] that the scheme can be made IND-CCA secure using the Fujisaki-Okamoto transform [19]. We note, however, that it is not immediate without a new proof that this would work, since the Fujisaki-Okamoto transform can be provably applied to basic encryption schemes that assume a standard PKI with explicit certificates. The primitive of [15] is different; it employs implicit certificates. Therefore, a new security definition and a proof will be necessary to validate this suggestion. On the other hand, our scheme provably satisfies a very strong security definition discussed above, where the CA is only trusted not to register new keys for users without their permission. Our results also show that the Fujisaki-Okamoto transform is not needed as our scheme is very simple and yet IND-CCA secure. Our efficient certified signature scheme resembles the proxy signature scheme of Kim, Park and Won [27] and the self-certified signature scheme of Lee and Kim [28]. Unlike our scheme, the proxy signature scheme assumes a PKI where each user already holds a public key and a digital certificate. Neither of these papers provides formal security definitions and analyses. A modification of the proxy signature scheme of [27] has been proven secure in [10], but their proof is for a primitive that differs from ours in that it assumes a PKI, explicit certificates, and involves a different security notion.

7 Acknowledgments

Part of the work was done while the authors were at UCSD. We thank Martin Abadi, Mihir Bellare and Burt Kaliski for useful discussions, and the anonymous reviewers for their comments. Alexandra Boldyreva is supported in part by NSF CAREER award 0545659. Marc Fischlin is supported by the Emmy Noether Program Fi 940/2-1 of the German Research Foundation (DFG). Bogdan Warinschi is supported in part by the ACI Jeunes Chercheurs JC 9005.

References

[1] C. Adams and S. Farrell. Internet x.509 public key infrastructure: Certificate management protocols. Work in progress, 2004. [2] S. Al-Riyami and K. G. Paterson. Certificateless public key cryptography. In ASIACRYPT, volume 2894 of LNCS, pages 452–473. Springer-Verlag, 2003. [3] J. Baek, R. Safavi-Naini, and W. Susilo. Certificateless public key encryption without pairing. In Information Security (ISC), volume 3650 of LNCS, pages 134–148. Springer-Verlag, 2005. [4] M. Bellare, A. Boldyreva, and J. Staddon. Multi-recipient encryption schemes: Security notions and randomness re-use. In Public-Key Cryptography (PKC), volume 2567. Springer-Verlag, 2003. [5] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. In FOCS ’97: Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS ’97). IEEE Computer Society, 1997. [6] M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In Conference on Computer and Communications Security (CCS). ACM, 1993. [7] K. Bentahar, P. Farshim, J. Malone-Lee, and N.P. Smart. Generic constructions of identity-based and certificateless kems. Cryptology ePrint Archive, Report 2005/058., 2005. [8] T. Beth, M. Borcherding, and B. Klein. Valuation of trust in open networks. In Computer Security—ESORICS 94, pages 3–18. Springer-Verlag, 1994. [9] A. Boldyreva. Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme. In Public Key Cryptography (PKC) ’03, pages 31–46, 2003. [10] A. Boldyreva, A. Palacio, and B. Warinschi. Secure proxy signaure schemes for delegation of signing rights. Cryptology ePrint Archive, Report 2003/096., 2003.

13 [11] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In CRYPTO, volume 2139 of LNCS. Springer-Verlag, 2001. [12] D.R. L. Brown, R. P. Gallant, and S. A. Vanstone. Provably secure implicit certificate schemes. In Conference on Financial Cryptography ’01, pages 156–165. Springer-Verlag, 2002. [13] M. Burmester, Y. Desmedt, and G. Kabatianskii. Trust and security: A new look at the Byzantine generals problem. In R. N. Wright and P. G. Neumann, editors, Network Threats, DIMACS, Series in Discrete Mathematics and Theoretical Computer Science, 1996, vol. 38. AMS, 1998. [14] R. Canetti. Universally composable signature, certification, and authentication. In CSFW. IEEE Computer Society, 2004. [15] C. Castelluccia, S. Jarecki, and G. Tsudik. Secret handshakes from CA-oblivious encryption. In ASIACRYPT, volume 3329 of LNCS, pages 293–307. Springer-Verlag, 2004. [16] Z. Cheng and R. Comley. Efficient certificateless public key encryption. Cryptology ePrint Archive, Report 2005/012., 2005. [17] A. W. Dent and C. Kudla. On proofs of security for certificateless cryptosystems. Cryptology ePrint Archive, Report 2005/348., 2005. [18] T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, Vol. 31, 1985. [19] E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In CRYPTO, volume 1666 of LNCS, pages 537–554, 1999. [20] C. Gentry. Certificate-based encryption and the certificate revocation problem. In EUROCRYPT, volume 2656 of LNCS, pages 272–293. Springer-Verlag, 2003. [21] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 1984. [22] S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, April 1988. [23] J. Herzog, M. Liskov, and S. Micali. Plaintext awareness via key registration. In CRYPTO, volume 2729. Springer- Verlag, 2003. [24] B. Hu, D. Wong, Z. Zhang, and X. Deng. Key replacement attack against a generic construction of certificateless signature. In ACISP, volume 4058 of LNCS, pages 235–246. Springer-Verlag, 2006. [25] A. Josang. Trust-based decision making for electronic transactions. In Fourth Nordic Workshop on Secure IT Systems (NORDSEC’99), pages 99–105, 1999. [26] B. Kaliski. An unknown key-share attack on the mqv key agreement protocol. ACM Transactions on Information and System Security (TISSEC), 4(3):275–288, 2001. [27] S. Kim, S. Park, and D. Won. Proxy signatures, revisited. In ICICS. Springer-Verlag, 1997. [28] B. Lee and K. Kim. Self-certified signatures. In Indocrypt, volume 2551 of LNCS. Springer-Verlag, 2002. [29] Y.-R. Lee and H.-S. Lee. An authenticated certificateless public key encryption scheme. Cryptology ePrint Archive, Report 2004/150., 2004. [30] B. Libert and J.-J. Quisquater. On Constructing Certificateless Cryptosystems from Identity Based Encryption. In Public Key Cryptography (PKC), LNCS. Springer-Verlag, 2006. [31] A. Lysyanskaya, R. L. Rivest, A. Sahai, and S. Wolf. Pseudonym systems. In Selected Areas in Cryptography (SAC), pages 184–199. Springer-Verlag, 1999. [32] U. Maurer. Modeling public-key infrastructure. In Computer Security—ESORICS 96, pages 325–350. Springer- Verlag, 1996. [33] A. Menezes, M. Qu, and S. A. Vanstone. Some new key agreement protocols providing mutual implicit authenti- cation. In Selected Areas in Cryptography (SAC), 1995. [34] A. Menezes and N. Smart. Security of signature schemes in a multi-user setting. Designs, Codes and Cryptography, 33:261–274, 2004. [35] S. Micali, K. Ohta, and L. Reyzin. Accountable-subgroup multisignatures. In Conference on Computer and Communications Security (CCS), pages 245–254. ACM, 2001. [36] M. K. Reiter and S. G. Stubblebine. Path independence for authentication in large scale systems. In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 57–66, 1997.

14 [37] C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991. [38] A. Shamir. Identity-based cryptosystems and signature schemes. In CRYPTO. Springer-Verlag, 1984. [39] Y. Shi and J. Li. Provable efficient certificateless public key encryption. Cryptology ePrint Archive, Report 2005/287., 2005. [40] V. Shoup. On formal models for secure key exchange. IBM Research Report RZ 3120, 1999. [41] D. H. Yum and P. J. Lee. Generic construction of certificateless encryption. In EuroPKI, volume 3043 of LNCS, pages 802–811. Springer-Verlag, 2004. [42] D. H. Yum and P. J. Lee. Generic construction of certificateless signature. In ACISP, volume 3108 of LNCS, pages 200–211. Springer-Verlag, 2004. [43] P. R. Zimmermann. The Official PGP User’s Guide. MIT Press, Cambridge, Massachussets, 1995.

Appendix A Standard definitions A.1 Asymmetric Encryption Schemes and their Security

Syntax. An asymmetric encryption scheme AE = (EG, EK, E, D) is specified by four polynomial-time algo- rithms with the following functionalities. The randomized parameter-generation algorithm EG takes input 1k, where k is the security parameter, and outputs some global parameters I. These may contain, for exam- ple, another security parameter, the description of a cyclic group and a generator, and the description of a hash function. We assume that these parameters become publicly available. The randomized key-generation algorithm EK takes input global parameters I and outputs a pair (pk, sk) consisting of a public key and a matching secret key, respectively. The randomized encryption algorithm E takes input a public key pk and a message M, and outputs a ciphertext C. The deterministic decryption algorithm D takes input a secret key sk and a ciphertext C, and outputs a message M or a special symbol ⊥ to indicate that the ciphertext is invalid. Associated to I is a message space MsgSp(I) from which M is allowed to be drawn. For any I that can be output by EG(1k), any pair of keys (pk, sk) that can be output by SK(I) and any M ∈ MsgSp(I), it is required that D(sk, E(pk,M)) = M.

Definition A.1 [Security of an asymmetric encryption scheme] Let AE = (EG, EK, E, D) be an asym- enc-ind-cpa enc-ind-cca metric encryption scheme. Consider experiments ExpAE,A,b (k), ExpAE,A,b (k) associated to AE, a bit b ∈ {0, 1} and an adversary A. In both experiments A is given input a public key I, pk and access to a left-right $ k $ encryption oracle UEAE(pk, b, ·, ·), where pk and sk are matching keys generated via I ← EG(1 );(pk, sk) ← EK(I). The oracle takes input two messages M0,M1 ∈ MsgSp(I) of equal length and returns a ciphertext $ enc-ind-cca C ← E(pk,Mb). In experiment ExpAE,A,b (k) the adversary is also given input a decryption oracle D(sk, ·). A queries the oracle(s) on inputs of its choice, with a restriction of not querying its decryption oracle on ci- phertexts previously returned by the left-right encryption oracle. A eventually stops and outputs a guess d which is also the output of the experiment. The adversary’s advantages in attacking the scheme are defined as follows. For atk ∈ {cpa, cca}

enc-ind-atk enc-ind-atk enc-ind-atk AdvAE,A (k) = Pr[ExpAE,A,1 (k) = 1] − Pr[ExpAE,A,0 (k) = 1] .

AE is said to be IND-CPA (resp. IND-CCA) secure if the corresponding advantage of any poly(k)-time adversary A is negligible in the security parameter k.

We adopt the convention that the time complexity of adversary A is the execution time of the entire experiment, including the time taken for key generation, and computation of answers to oracle queries. The same convention will be used implicitly in other definitions of the paper.

15 A.2 Digital Signature Schemes and their Security

Syntax. A digital signature scheme DS = (SG, SK, S, V) is specified by four polynomial-time algorithms with the following functionalities. The randomized parameter-generation algorithm SG takes input 1k, where k is the security parameter, and outputs some global parameters I. The randomized key-generation algorithm SK takes input global parameters I and outputs a pair (pk, sk) consisting of a public key and a matching secret key, respectively. The (possibly) randomized signing algorithm S takes input a secret key sk and a message M ∈ {0, 1}∗, and outputs a signature σ. The deterministic verification algorithm V takes input a public key pk, a message M and a candidate signature σ for M, and outputs a bit. We say that σ is a valid signature for M relative to pk if V(pk, M, σ) = 1. For any pair of keys (pk, sk) that can be output by SK and any M ∈ {0, 1}∗, it is required that V(pk,M, S(sk,M)) = 1.

Definition A.2 [Security of a digital signature scheme] Let DS = (SG, SK, S, V) be a digital signature scheme. Consider an adversary A that is given input a public key pk and access to a signing oracle USS (sk, ·), where pk and sk are matching keys generated via I ←$ SG(1k);(pk, sk) ←$ SK(I). The oracle takes input a message M and returns a signature σ ←$ S(sk,M). A queries this oracle on messages of its choice, and ds-uf eventually outputs a forgery (M, σ). The adversary’s advantage AdvDS,A(k) in attacking the scheme is the probability that it outputs a pair (M, σ) such that σ is a valid signature for message M and this message was not queried to the signing oracle. DS is said to be secure against existential forgery under adaptive chosen- message attacks (or, simply, secure) if the advantage of any poly(k)-time adversary A is negligible in the security parameter k.

B Proof of Theorem 3.3

Recall that our goal is to show that the traditional approach of using signature-based certificates provides a secure certified encryption scheme. In terms of concrete security —from which the theorem follows— we show that for every adversary A there exists adversaries BDS and BAE such that for atk ∈ {cpa, cca},

Advcenc-ind-atk(k) ≤ Q · Advenc-ind-atk(k) + 2Q · Advuf-cma(k) , TCE,A,b R AE,BAE,b R BDS,DS

cenc-ind-cpa where QR be the maximal number of (initiated) registration executions during experiment ExpTCE,A,0 (k) cenc-ind-cpa or ExpTCE,A,1 (k) and BDS and BAE both run in time Time(A) + c log QR for a small constant c. Proof:

For the proof define the following attack of algorithm BAE on the underlying encryption scheme AE. BAE is given Ie and pk as input and is also given access to a left-right encryption oracle for key pk (and possibly a enc-ind-cpa enc-ind-cca decryption oracle), i.e.,BAE runs experiment ExpTCE,A,b (k) (or ExpTCE,A,b (k)) for unknown bit b.

Algorithm BAE initially picks an integer i between 1 and QR. Then it simulates an attack of A on the certified cenc-ind-atk scheme by providing the same interaction for A as in experiment ExpTCE,A,b (k). The only exceptions lie in the i-th registration step for an honest user and in the way encryption (and decryption) queries are answered. Specifically, if the i-th registration protocol with an honest user ID is initiated then BAE sends the given pk on behalf of that user (and possibly obtains a signature cert for ID||pk; if so, then (ID, pk, cert) is also listed in RegListPub). Call (ID, pk, cert) the target. Answer encryption queries (ID`, pk`, cert`,M0,`,M1,`) as follows:

• If (ID`, pk`, cert`) equals the target then BAE passes (M0,`,M1,`) to its encryption oracle and returns the answer to A.

• If (ID`, pk`, cert`) is different from the target but does not appear in RegListPub (and the CA is honest) then, if cert is a valid signature abort with output 0, else return ⊥ and continue.

• Else, if (ID`, pk`, cert`) is different from the target and appears in RegListPub because of the j-th regis- $ $ tration with an honest user, BAE computes C ← Ee(pk`,M1,`) if j < i and C ← Ee(pk`,M0,`) if j > i. Return C.

16 If atk = cca then decryption queries are treated as in the original experiment, only that queries involving the target (ID, pk, cert) are relayed between A and BAE’s decryption oracle. If adversary A finally stops with output g then BAE copies this output and stops as well. Note that Expenc-ind-atk(k) describes the output of the simulation above, given B ’s left-right oracle always AE,BAE,b AE encrypts message Mb when queried. Define UnregKeyb to be the event that, during the simulation, the adver- sary submits a query (ID, pk, cert,M0,M1) to the universal encryption oracle such that the tuple (ID, pk, cert) does not appear in RegListPub at the time of submission, that the CA is honest and that the oracle returns a ciphertext C 6= ⊥. A standard hybrid argument, conditioning on events UnregKey0, UnregKey1, then shows 1 Advcenc-ind-atk(k) ≥ · Advcenc-ind-atk(k) − 2 · max {Pr [ UnregKey ] , Pr [ UnregKey ]} . AE,BAE TCE,A 0 1 QR

Furthermore, it can be easily seen that the probability of event UnregKeyb (for arbitrary but fixed b) is bounded by the success probability of forging signatures:

Pr [ UnregKey ] ≤ Advuf-cma(k) , b BDS,DS

for an adversary BDS running in time Time(A) + c log QR.

C CDH-secure Groups and Proof of Theorem 3.5

In this section we prove security of the efficient certified encryption scheme under the DH assumption: Diffie Hellman Groups. We say that the parameter generator EG in Construction 3.4 generates CDH- secure groups if for any adversary A running in expected polynomial time, the following is negligible in k:

DH h $ k $ a b ab i AdvEG,A(k) = Pr (G, q, g, F, G, H) ← EG(1 ); a, b ← Zq : A(G, q, g, g , g ) = g .

Proof of Theorem 3.5. Let QUE , QD, QF , QG, QH and QR be the maximum number of queries an cenc-ind-cpa cenc-ind-cpa adversary A makes in experiment ExpCE,A,0 (k) or ExpCE,A,1 (k) to oracles UE and UD, and F , G and H as well as the maximum number of (initiated) executions of the registration protocol. Then we show that there exist algorithms DHreg, DHunreg such that

2Q (Q + Q + Q ) Advcenc-ind-cca(k) ≤ UE G UE D CE,A 2k  2  DH (QH + QR)QR 2(QF + QUE + QD) QD + 2 · QUE QG · Adv (k) + + + EG,DHreg 2k 2k 2k  2(Q + Q )Q + 1 4(Q + Q + Q )2 2Q 1/3 + 2 · 4Q2 · AdvDH (k) + H R R + F UE D + D , G EG,DHunreg 2k 2k 2k

3 where DHreg, DHunreg run in expected time at most 2·Time(A)+2ctk ·(QF log QF +QG log QG +QH log QH ), for a small constant c. The statement of the theorem follows. We start with a proof for the simpler case that the adversary does not put any decryption requests and merely mounts a chosen-plaintext attack. We afterwards discuss how to treat decryption queries. Another simplification, which is due to the fact that the adversary does not ask for decryptions, is that the function F now becomes obsolete. We thus first look at the case that the encryption algorithm, instead of computing $ a ← F (ID, pk, cert, α||M) and encrypting α||M, now chooses a ← Zq at random and merely encrypts M. For this IND-CPA attack recall that the adversary is given access to a left-right oracle UE which always encrypts either the message Mb = M0 or the message Mb = M1 with each submission (given that the query is valid), cenc-ind-cpa cenc-ind-cpa and that this is the only difference between experiments ExpCE,A,0 (k) and ExpCE,A,1 (k). cenc-ind-cpa We introduce the following notation for the encryption queries in experiment ExpCE,A,b (k). Let IDi, pki = (Ri,Si), certi, M0,i,M1,i be the i-th query of A to oracle UE. If this query is valid and the oracle

17 ai ci ai chooses ai and encrypts Mb,i as (g ,G(IDi, pki, certi,Ti) ⊕ Mb,i) for Ti = (RiSiZ ) and ci = H(IDi,Ri,Si), then we call (IDi, pki, certi,Ti), or sometimes simply Ti, the i-th target. We say that the adversary asks (or queries) about the i-th target if it submits this target to oracle G during the attack. Let TargetQueryb(i) be cenc-ind-cpa the event that the adversary first asks about the i-th target during the experiment ExpCE,A,b (k) before asking about any other target. Let TargetQueryb ≡ ∃i ∈ {1, 2,...,QUE } : TargetQueryb(i). Then, cenc-ind-cpa cenc-ind-cpa cenc-ind-cpa AdvCE,A (k) = Pr[ExpCE,A,1 (k) = 1] − Pr[ExpCE,A,0 (k) = 1] cenc-ind-cpa ≤ Pr[ExpCE,A,1 (k) = 1|¬TargetQuery1] · Pr[¬TargetQuery1] cenc-ind-cpa − Pr[ExpCE,A,0 (k) = 1|¬TargetQuery0] · Pr[¬TargetQuery0]

+ Pr[TargetQuery1] .

Given that the adversary never asks about the targets in the experiment, the values G(IDi, pki, certi,Ti) ⊕ Mb,i are all random and independent of b. Hence, cenc-ind-cpa cenc-ind-cpa Pr[ExpCE,A,1 (k) = 1|¬TargetQuery1] = Pr[ExpCE,A,0 (k) = 1|¬TargetQuery0] and cenc-ind-cpa AdvCE,A (k) cenc-ind-cpa ≤ Pr[ExpCE,A,1 (k) = 1|¬TargetQuery1] · (Pr[¬TargetQuery1] − Pr[¬TargetQuery0])

+ Pr[TargetQuery1]

≤ Pr[TargetQuery0] + Pr[TargetQuery1] ≤ 2 · max {Pr[TargetQuery0], Pr[TargetQuery1]} .

Hence, it suffices to bound the probability of event TargetQueryb for an arbitrary b. Fix b ∈ {0, 1}. For any i pre and event TargetQueryb(i) we distinguish between event TargetQueryb (i), that the adversary asks about the post i-th target before receiving the answer from UE for the i-th query, and TargetQueryb (i), that A submits Ti to G after having receiving UE’s reply to the i-th query (both events also presume that none of the other targets is asked to G before). Then for

pre pre post pre TargetQueryb ≡ ∃i : TargetQueryb (i) and TargetQueryb ≡ ∃i : TargetQueryb (i) we conclude:

pre post Pr[TargetQueryb] ≤ Pr[TargetQueryb ] + Pr[TargetQueryb ] (Q + Q )Q ≤ G UE UE + Pr[TargetQuerypost], 2k b because each of the at most QUE targets is a random group element (over the choice of a) and the probability that any of the at most QG + QUE previous queries to G (including the implicit ones in calls to QUE ) matches this group element is at most 1/q ≤ 2−k. post post To limit the probability Pr[TargetQueryb ] we further divide TargetQueryb (i) according to event RegKeyb(i) (and event UnregKeyb(i)) that the key (IDi, pki, certi) in A’s i-th query to UE appears in the list RegListPub of registered keys at this point (or is unregistered and does not appear there). Then,

post post Pr[TargetQueryb ] ≤ Pr[∃i : TargetQueryb (i) ∧ RegKeyb(i)] post + Pr[∃i : TargetQueryb (i) ∧ UnregKeyb(i)] . post We first bound the probability Pr[∃i : TargetQueryb (i) ∧ RegKeyb(i)]. For this we define an algorithm a b ab DHreg which gets input (G, q, g, g , g ) and is supposed to output g . To do so, DHreg runs a simulation of A:

• DHreg first picks indices i, j at random between 1 and the number QUE of queries to UE, respectively, the number QG of queries to oracle G. Algorithm DHreg stops (unless it has stopped before) as soon as A makes the j-th query (ID`, pk`, cert`,X) to oracle G. In this case, if (ID`, pk`, cert`) appears in list 1/(uiv ) RegListPub, then DHreg takes the associated values ui, v` (as defined below) and outputs Y = X ` .

18 • In the beginning DHreg sets I = (G, q, g, G, H) where oracles G, H are specified below. DHreg starts cenc-ind-cpa to simulate an attack of A in experiment ExpCE,A,b (k) by impersonating the honest parties, i.e., DHreg follows the prescribed program for every honest party (except for registration of honest users, see below) whereas corrupt parties are controlled by the adversary.

• DHreg provides simulated oracles G, H by maintaining lists LG and LH of pairs (x, y). Each time a query x to either oracle is made then DHreg browses through the corresponding list and searches for an entry (x, y). If such an entry exists then DHreg returns y on behalf of the oracle. If no such entry exists t then DHreg picks y at random (from {0, 1} or Zq), stores (x, y) in the list and returns y. In addition, DHreg can also set values in each list by appending (x, y). If the list becomes inconsistent, i.e., there are 0 0 entries (x, y), (x, y ) for y 6= y , then DHreg stops with output ⊥.

• Each time the adversary instructs an honest user ID` to register, DHreg first waits to receive a value R` of the certification authority (possibly generated by DHreg itself if CA is honest). On behalf of the user $ $ ∗ b v` c` −1 b DHreg selects c` ← Zq, v` ← Zq and replies with S` = (g ) (R`Z ) for the given g . DHreg stores the values (ID`, (R`,S`), cert`, v`) in a list —we say v` is associated to (ID`, (R`,S`), cert`)— and also sets ((R`,S`, ID`), c`) in list LH . Complete the protocol as the honest user would. Note that corruptions are static, so the user remains honest during this execution.

• For the `-th call (ID`, pk`, cert`,M0,`,M1,`) to oracle UE algorithm DHreg rejects invalid queries and $ $ ∗ t a u` a otherwise picks u` ← Zq , $` ← {0, 1} at random and returns C = ((g ) , $`) for the given g . We call u` associated to the the `-th query.

For the analysis note that DHreg stops prematurely because of an inconsistent H-list with probability at most k (QH + QR)QR/2 , because each of the QR registration steps generates the any of the previous QH + QR queries with probability at most 1/q, taking into account the QR implicit H-queries in registration steps. Also, up to the point where A puts the first target query (if at all) the views of the adversary in experiment cenc-ind-cpa ExpCE,A,b (k) and in this simulation are identical. Hence, if there is indeed a target query, then j predicts the target query number correctly with probability at least 1/QG. In addition, the guess i and thus the associated value ui for the interaction with UE resulting in the first target query is correct with probability at least 1/QUE . Now, if A successfully puts a target query and this query is for a previously registered key (ID`, pk`, cert`) of an honest user, then there exists an associated value v` and DHreg outputs

1/(uiv`) c` aui/(uiv`) bv` a/v` ab Y = X = (R`S`Z ) = (g ) = g .

Hence, this happens with probability at most

post DH (QH + QR)QR Pr[∃i : TargetQuery (i) ∧ RegKey (i)] ≤ QUE QG · Adv (k) + . b b EG,DHreg 2k

post Finally, we bound the probability  := Pr[∃i : TargetQueryb (i) ∧ UnregKeyb(i)]. This is again established in terms of success probability solving the DH problem. However, this time we use an algorithm DHunreg, which also gets (G, q, g, ga, gb) as input, but uses rewinding techniques for the simulation of A:

• DHunreg initially picks index j at random between 1 and the number QG of queries to oracle G. DHunreg cenc-ind-cpa starts to simulate an attack of A in experiment ExpCE,A,b (k). In particular, if the adversary asks to corrupt the CA then DHunreg immediately stops (recall that we are interested in UnregKeyb target b queries for which the CA remains honest). For an honest authority DHunreg sets pkCA = Z = g for the b given g . DHunreg also provides simulated oracles G, H by maintaining two lists LG and LH as DHreg.

$ • Each time the adversary instructs an honest or corrupt user ID to register, DHunreg first picks r, c ← Zq r −c and computes R = g Z . We call the value c pending for this registration. DHunreg sends R on behalf of the CA to the user and waits to retrieve S. Then it sets the oracle value H(R, S, ID) to be the pending value c and replies in the name of the CA with y = r.

19 • For each query (ID`, pk`, cert`,M0,`,M1,`) with pk` = (R`,S`) to oracle UE, algorithm DHunreg first $ ∗ checks the validity of the request. If the query is invalid then return ⊥. Else pick u` ← Zq and $ t a u` a $ ← {0, 1} at random and return C = ((g ) , $) for the given g . Call u` associated to (ID`, pk`, cert`). • If the adversary puts the j-th query (ID, (R,S), cert,X) to oracle G (and (ID, (R,S), cert) has not been registered yet) then record X and rewind the simulation to the point, where A has queried oracle H about (R, S, ID) for the first time. If H has never been queried about this value before, then make the query now. Next, start an independent execution from this point on, i.e., with the same adversarial view a b up to this point (including g , g ) but with independent choices in the sequel. In particular, DHunreg removes entries in LG and LH made after the rewind point. It replies to the oracle query (R, S, ID) to H with an independent value c0 and re-uses all pending values for each registration which has been started but not finished before the rewind point. Also, DHunreg renews the choice for index j.

0 0 0 0 • Eventually, DHunreg finishes the second execution, yielding a G-query (ID , pk , cert ,X ), or possibly the 0 0 0 0 0 ∗ output ⊥. If (ID, pk, cert) = (ID , pk , cert ) and if c 6= c , then look up the associated values u, u ∈ Zq 0 0 and output Y = ((X0)1/u X−1/u)1/(c −c). In the first execution, up to the point where A puts the first target query, the adversary’s views of cenc-ind-cpa experiment ExpCE,A,b (k) and of the simulation are the same, and j predicts the right target query with k probability 1/QG. Furthermore, the H-list becomes inconsistent with probability at most (QH + QR)QR/2 . Hence, in the first execution we obtain a valid target query for the i-th target and an unregistered key with probability at least   1 (QH + QR)QR · 1 − k ·  . QG 2 From now on we condition on this event. For the second execution, define the random variable RewPoint as the view of the adversary up to the query of (R, S, ID) to H, including the internal coins of A, all queries and answers to oracles, any input data including ga, gb and all transcripts. Call RewPoint good iff the probability that A queries G about the i-th target for unregistered key (R, S, ID) before asking about any other target, given the partial view RewPoint, is at least /2. Then a standard argument shows Pr[RewPoint good] ≥ /2. First note that the probability that the H-list becomes inconsistent in the second execution (because of k registration requests) is at most (QH + QR)QR/2 , too. To see this first note that deleting and reselecting H-values for the rewinding creates a consistent view, because the corresponding key (ID, (R,S), cert) is unreg- istered and therefore choosing H(ID,R,S) differently as c0 does not affect a pending value. Any other random collision in the H-list happens with the stated probability only. Given that RewPoint is good we again get a consistent simulation and target query in the second execution and another good value X0 for challenge c0 —where c0 6= c with probability at least 1 − 2−k— with probability at least     1 (QH + QR)QR 1  · 1 − k · 1 − k · . QG 2 2 2 The overall probability for the second execution is multiplied by the probability /2 of RewPoint being good. Given such two values X,X0 with associated values u, c, u0, c0 we have

0 1/(c0−c) 0 0 0 1/(c0−c) 0 0 Y = (X0)1/u X−1/u
= (RSZc )au /u (RSZc)−au/u
= Z(c −c)a/(c −c) = gab and therefore

1 3  (Q + Q )Q 2  1  AdvDH (k) ≥ · 1 − H R R · 1 − EG,DHunreg 2 k k QG 4 2 2 3 1  (QH + QR)QR + 1 ≥ 2 · − 2 k . QG 4 2QG · 2 Re-arranging the equations and putting them together shows security of the simplified scheme against chosen- plaintext attacks. To show security of the original scheme against chosen-ciphertext attacks we have to show

20 that decryption queries do not help the adversary and consider the role of F . Since this proof is very similar to the chosen-plaintext case we only sketch the necessary adaptations. pre k First, instead of bounding the probability of event TargetQueryb by (QG+QUE )QUE /2 here we now obtain k the bound (QG + QUE + QD)QUE /2 where we take also the at most QD implicit G-queries in decryption post post steps into account. For the bounds for Pr[∃i : TargetQueryb (i) ∧ RegKeyb(i)] and Pr[∃i : TargetQueryb (i) ∧ UnregKeyb(i)], we specify how algorithms DHreg and DHunreg simulate decryption queries in their emulations (with some small error). Then the bounds for the two cases follows as before. 2 k A preliminary observation is that, except with probability (QF + QUE + QD) /2 , the adversary in cenc-ind-cpa experiment ExpCE,A,b (k) here does not submit a valid query (ID, pk, cert, (A, B)) to the decryption oracle where A = Ai for some of the UE’s answer (Ai,Bi) for the same (ID, pk, cert). The case that A has been submitted before the challenge ciphertext is generated, is trivially covered by this probabil- ity, so we assume that Ai is created afterwards. Then, since decryption requests must be different from the challenge, on one hand B 6= Bi. With a = logg A = logg Ai = ai, on the other hand, it follows ci a ci ai B ⊕ G(ID, pk, cert, (RiSiZ ) ) 6= Bi ⊕ G(ID, pk, cert, (RiSiZ ) ) and therefore the validity check of the de- cryption process can only succeed if the distinct values collide under F . But this happens with the stated probability only. Next we explain how the simulators DHreg and DHunreg deal with decryption requests (without having to know secret keys). But before, we note that DHreg’s and DHunreg’s simulation of oracle UE remains a u t+k unchanged, i.e., by returning C = ((g ) ` , $`) for the `-th query where, this time, $` is sampled from {0, 1} . In particular, the simulators do not follow the prescribed method by computing a = F (ID, pk, cert, α||Mb). Decryption queries are simulated in the same way for both algorithms. Each simulator maintains another F -list to provide the oracle F , analogously to the the lists for G and H. We again presume that this list is consistent, and we also assume that no F -collisions occur (which happens with probability 2(QF + QUE + 2 k QD) /2 or twice this value, respectively, for the expected two executions DHunreg makes). When A submits a query (ID, pk, cert,C) for C = (A, B) to the universal decryption oracle the simulator verifies too that user ID is honest and that there is an entry (ID, pk, cert) in RegListPub. If not then the simulator answers with ⊥. So suppose in the sequel all decryption queries are valid. We distinguish between two cases for a value (ID, pk, cert, (A, B)) submitted to the decryption oracle, depending on the F -list: If there is an entry ((ID, pk, cert, α||M), a) in the F -list such that A = ga then the simulator checks that α||M = B ⊕ G(ID, pk, cert, (RSZc)a) for pk = (R,S) and c = H(R, S, ID) and, if so, returns M. If the equation does not hold then the simulator returns ⊥. Else, if there is no such query in the list then the simulator simply returns ⊥. Given that there is such an element in the list, it is unique by our assumption about collision-freeness of F and the simulated decryption generates the same output as the decryption oracle would. If there is no such element then the value A still uniquely determines a = logg A and therefore α||M = B ⊕ G(ID, pk, cert, (RSZc)a). The probability that F (ID, pk, cert, α||M) = a is, however, 1/q (because this entry is not in the list and the evaluation of F yields a random value in Zq). The probability k k that this happens for any of the QD many queries to DHreg is thus at most QD/2 (and 2QD/2 for DHunreg). A simple calculation now confirms the probabilities.

D Proof of Theorem 4.3

Consider an adversary A against TCS. We construct adversaries A1, A2 and A2 attacking DS such that

cs-uf uf-cma uf-cma uf-cma QR Adv (k) ≤ QR · Adv (k) + Adv (k) + QR · Adv (k) + . TCS,A DS,A1 DS,A2 DS,A3 2k and the theorem follows by the assumption that DS is a secure digital signature scheme. cs-uf In the following, we denote by RegKey the event that in experiment ExpTCS,A(k) adversary A outputs a valid forgery that is with respect to an identity and key that have been properly registered (i.e. case 1. in Definition 4.1), by UnregKey the event that A outputs a valid forgery with respect to an identity ID and a key pk such that the key pk has not been priorly registered for user ID (i.e. case 2. from Definition 4.1). Finally, we denote by CertForge the event that the forgery output by A is such that the public key pk has been registered for user ID, but it has also been registered for user ID0: that is the event described in case 3. of Definition 4.1 occurs, and the event described in case 2. of the same definition does not occur.

21 It is immediate that cs-uf AdvTCS,A(k) ≤ Pr [ RegKey ] + Pr [ UnregKey ] + Pr [ CertForge ] (1) and the theorem follows by bounding the terms on the right hand side. ∗ Adversary A1 is against the scheme DS, so it takes as input a public key pk and has access to a signing oracle S(sk∗, ·). Here, (pk∗, sk∗) is a pair of keys generated by running the key generation algorithm of DS on input I. Adversary A1 runs adversary A as a subroutine, and simulates for A its interaction in experiment cs-uf ExpA,TCS(k). In particular it plays the role of all honest parties, including that of the CA if it does not get corrupted by A. Adversary A1 starts its execution by selecting a random position i between 1 and QR and then starts execution adversary A. If A decides to corrupt the CA, A1 receives pkCA from A. Otherwise, A1 generates the key by itself, and in all future registration requests it plays the role of the CA. Adversary A1 handles all registration requests for honest users by playing their role (and that of the CA if the latter is not corrupted). The transcripts of the registration protocol are handed back to A. There is one ∗ exception: for the i’th registration request, the public key that is registered for user IDi is set to pk , i.e. the key that A1 has as input. Notice that A can sign the challenge message M of the CA by submitting message (0||M) to its oracle. Valid signature requests are answered as follows: all such requests other than for signatures by user IDi, are computed by A1 itself since it posses the appropriate signing keys. For a valid signature request ∗ $ ∗ (IDi, pk , certi,M) adversary A1 obtains σ by querying M to its own signature oracle, i.e. σ ← (sk , (1||M)). At some point A finishes its execution and outputs a forgery (ID, pk, cert, M, σ). If the forgery output by ∗ A is valid and pk = pk then A1 outputs (1||M, σ) as its own forgery. We now analyze the advantage of A1. The simulation of the environment of A is perfect, so, adversary A outputs a valid forgery (ID, pk, cert, M, σ) for the key pk registered by honest user ID with probability Pr [ RegKey ]. With probability 1 , adversary A had set this registered key to pk∗, so if this is the case, M, σ QR ∗ are such that V1(pk , 1||M, σ) = 1. Therefore, (1||M, σ) is a valid forgery for A1 provided that M has never ∗ been queried to signing oracle of A1. Such a query only occurs if A queries (IDi, pk , certi,M) to its signing oracle, but in this case (ID, pk, cert,M) is not a valid forgery for A. We conclude that: 1 Advds-uf (k) ≥ · Pr [ RegKey ] . (2) DS,A1 QR ∗ We now continue with the construction of A2. It takes as input a public key pk and has access to a signing ∗ ∗ ∗ ∗ ∗ $ k oracle S(sk , ·), with (pk , sk ) a pair of keys generated via (pk , sk ) ← SK(1 ). Adversary A3 executes adversary A as a subroutine and emulates its environment by intercepting and answering its queries. The simulation will be as if the secret key of the CA is sk∗, the key of the signing oracle of A, so if A requests to corrupt the CA then A3 aborts its execution. Otherwise, A2 will play the role of the CA in all future registration requests and the signatures of the CA are produced by queries to the oracle of A2. So, when A requires the registration of an (honest or corrupt) user IDl, A2 plays the role of the CA: if the user is corrupt it receives from A a public key pkl to be registered for IDl, otherwise it generates a pair (pkl, skl) by itself. Signatures of the CA needed in the registration process are obtained from the oracle of A2. Valid signature requests can be answered trivially by A2 since it possesses all secret keys of the honest users. When A outputs a forgery (ID, pk, cert, M, σ), adversary A2 outputs its attempted forgery ((ID, pk), cert). It is clear that the simulation that A2 provides to A is perfect. Assume that A produces a valid forgery (ID, pk, cert, M, σ). with respect to an unregistered key pk for user ID (notice that in this case adversary A is not allowed to corrupt the CA). This event happens with probability Pr [ UnregKey ]. We argue that in this ∗ case the forgery of A2 is valid. Indeed, we have that V1(pk , (ID, pk), cert) = 1 since (ID, pk, cert, M, σ) is a valid forgery for A. Moreover, the message (ID, pk) has not been queried to the signing oracle since such a request occurs only when the key pk is registered for identity ID. Therefore we have that: Advuf-cma(k) ≥ Pr [ UnregKey ] . (3) DS,A2

Finally, we construct adversary A3 against DS. It runs adversary A as a subroutine and wins against DS, ∗ whenever the event CertForge occurs in the execution of A. Algorithm A3 takes as input a public key pk and

22 has access to a signing oracle S(sk∗, ·) with (pk∗, sk∗) generated by the key generation algorithm of DS. It simulates the environment of A exactly as adversary A3 does. In particular it selects a random index i ∈ [QR], ∗ and registers pk as the public key of user IDi; notice that A3 can easily answer the challenge Mi sent by the CA during the registration protocol by submitting 0||M to its signing oracle. Following this execution, for the rest of registration requests, adversary A3 tracks the key pkl that each user IDl attempts to register. If the ∗ execution of the protocol was successful and pkl = pk then let Ml be the challenge message sent by the CA to IDl and σl the signature that is returned. Then adversary A3 outputs as its attempted forgery message (0||Ml, σl). The success probability of A3 is as follows: if event CertForge occurs in the execution of A, then there exist two indices l0 and l1 such that the same key pk is registered for both identities IDl0 and IDl1 , and with the registration of IDl0 taking place before that of IDl1 . With probability 1/QR, the index i selected by A3 equals ∗ l0 and therefore with this probability the key registered for these two identities is pk . Since the registration ∗ of IDl1 is successful, signature σl is a valid signature with respect to pk on message 0||Ml1 . This is a valid forger if this message has not been queried to the oracle of A3. However, the only other message of the form 1 0||M that is queried to the oracle is 0||Ml0 , and the two messages are equal only with probability 2k . We therefore have that: 1 1 Advuf-cma ≥ · Pr [ CertForge ] − DS,A3 k QR 2 The desired result follows by putting together the above inequalities.

E Discrete Logarithm Assumption and Proof of Theorem 4.5

Discrete Logarithm Assumption. We say that the parameter generator SG in Construction 4.4 generates DL-secure groups if for any expected polynomial-time algorithm A the following is negligible in k:

DL h $ k $ a i AdvSG,A(k) = Pr (G, q, g, G, H) ← SG(1 ); a ← Zq : A(G, q, g, g ) = a ,

Proof of Theorem 4.5 We prove our theorem by showing that there exist adversaries B1 and B2 for solving the discrete logarithm problem such that:

Q (Q + Q ) + Q (Q + Q ) + 1 Advcs-uf (k) ≤Q2 · AdvDL (k) + Q2 · S S G R R H + CS,A G SG,B1 G 2k ( 1 )  4  3  3 Q (Q + Q ) + 1 + Q2 Q2 · AdvDL (k) + AdvDL (k) + + 2 · R R H G H SG,B2 2 2 SG,B2 k k QGQH 2 2

We denote by RegKey the event that A outputs a valid forgery that contains the key registered by some honest user. Notice that we do not require that the identity in the forgery be the one for which the key was registered. We denote by UnregKey the event that A outputs a valid forgery with respect to an unregistered key. Clearly,

cs-uf AdvCS,A(k) = Pr [ RegKey ] + Pr [ UnregKey ] . We complete the proof by bounding the terms on the right hand side using the advantage of two adversaries B1 and B2 in computing discrete logarithms. s Algorithm B1 takes as input a description of a group (G, q, g) and a challenge S = g with s selected at random in Zq. It runs a black-box simulation of A’s attack and uses well-known rewinding techniques to extract the discrete log of S. It operates as follows:

$ • B1 selects a random index i ← [QG], where QG is the maximal number of queries that A makes to oracle cs-uf G in the experiment ExpCS,A(k). B1 sets the initial parameters to (G, q, g, G, H), where G and H are random oracles that B1 simulates for A as usual by maintaining two lists LG,LH . B1 runs attacker A as a cs-uf subroutine, by mimicking its environment in experiment ExpCS,A(k). If adversary A requests to corrupt the CA then A provides pkCA and plays the role of the CA in all executions of the registration protocol.

23 z $ If the CA stays honest, then B1 generates pkCA = g with z ← Zq and plays the role of the CA in all executions of the registration protocol. • When the adversary makes its l’th registration query for honest identity IDl, B1 runs the protocol on behalf $ of the honest party as follows. First, it receives a message Rl from the CA. Chooses random cl, tl ← Zq c −1 t and sets: Sl = (RlZ l ) S l and adds ((IDl,Rl,Sl), cl) to the list LH . It then sends Sl to A and obtains in return yl. The public key of IDl is set to (Rl,Sl). • When adversary makes a valid signature query (ID, (R,S), cert,M), i.e. (ID,R,S) = (IDl,Rl,Sl) that occurred in the registration of IDl, B1 computes a valid signature on M as follows: it selects at random c −d d ∈ Zq, selects at random B ∈ G and computes A = B(RSZ ) and c = H(R, S, ID). Then it adds the pair ((ID, A, M), d) to the list LG (i.e. it sets G(ID, A, M) = d) and returns to A the signature (A, B). • At some point, adversary A stops and outputs a forgery of the form: (ID, (R,S), , M, (A, B)). If (R,S) 6= (Rl,Sl) for some Rl,Sl that occurred during the registration of identity IDl, then B1 aborts its execution. If message (ID, A, M) is not the i’th query of A to oracle G or lists LG,LH are inconsistent then B1 also aborts. Otherwise: • It rewinds the execution of A up to the point where it had queried the message (ID,A||M) to the oracle G (if this query did not occur, then B1 makes it now). Let d1 be the response that B1 returned to A $ during the first execution. Adversary B1 selects a new value d2 ← Zq, returns d2 to A and continues the execution from this point on. If A outputs another forgery (ID0, (R0,S0), , M 0, (A0,B0)) such that 0 0 0 0 0 (ID ,R ,S ,M ,A ) = (ID, R, S, M, A) and the lists LH ,LG are still consistent, then adversary B1 terminates 0 −1 the entire execution and outputs s = (B − B )(tld1 − tld2) if d1 6= d2. Otherwise repeat this last step.

First we argue that if the execution of B1 enters the loop and finishes for d1 6= d2, then the output of B1 is log S. Indeed, at the end of the execution B1 has obtained two valid forgeries with respect to some identity ID, public key (Rl,Sl) registered during the execution some message and some message M. Since the signatures are both valid, we have that:

0 B H(ID,Rl,Sl) d1 B H(ID,Rl,Sl) d2 g = A(RlSlZ ) and g = A(RlSlZ )

H(ID ,R ,S ) −1 t s 0 where, by construction, Sl = (RlZ l l l ) g l . It follows that B = log A + tlsd1 and B = log A + tlsd2 and the conclusion follows by simple algebraic manipulation. It follows from standard considerations that B1 makes two executions of A on the average. We now compute the success probability of B1. A simple counting argument shows that there exists some index i0 ∈ [QG] such 1 that Pr [ RegKey(i0)] ≥ ·Pr [ RegKey ]. From now on we condition on the event that B1’s guess i equals this QG index i0. This happens with probability 1/QG. Under this condition i = i0, if we start looping then we always k obtain a second forgery, and with probability at least 1 − 1/2 this will be for d1 6= d2. Since the probability of a success in the first execution and therefore of running the rewind strategy is given by the probability of RegKey(i0) minus the probability for inconsistent lists LG,LH , we get:

1 1 Q (Q + Q ) Q (Q + Q ) AdvDL (k) ≥ · Pr [ RegKey(i )] − − S S G − R R H . SG,B1 0 k k k QG 2 2 2 and Q (Q + Q ) + Q (Q + Q ) + 1 Pr [ RegKey ] ≤ Q2 · AdvDL (k) + Q2 · S S G R R H . G SG,B1 G 2k cs-uf We now bound the probability Pr [ UnregKey ] that during experiment ExpCS,A(k) adversary A outputs a valid forgery with respect to a key that has not been already registered. We show how to use A to build an adversary B2 that solves the discrete logarithm problem. z Adversary B2 takes as input a description of a group (G, q, g) and a challenge Z = g with z selected at random in Zq. It runs adversary A as a subroutine, performing several rewindings of its execution. Roughly, our goal is to find the discrete logarithm of Z from the verification equation gB = A(RSZc)d. Unlike in the previous case the key R,S is not registered here, and it is likely that d depends on c (if not, extraction becomes much easier). Hence, we have to use nested rewindings, where we use the same extraction strategy −B c d as for B1 for the inner loop to extract the logarithm of A = g (RSZ ) by getting two forgeries for different d-challenges. Each time this terminates in a constant number of repetitions on the average, and the overall

24 running time of B2 therefore follows analogously as for B1. We next try to do this extraction twice for different c-challenges such that for each of these two solutions we can “peel off” the outer d-layer to solve for Z. We only repeat the outer loop twice in order to not run into trouble with the expected running times, but at the cost of decreasing our success probability. We now give an description of how adversary B2 simulates the environment of A without the rewindings; the rewinding strategy follows the strategy we outlined above.

$ $ • B2 selects at random two indices i ← [QG] and j ← [QH ]. B2 sets the initial parameters to (G, q, g, G, H) where G and H are oracles that B2 simulates as usual by maintaining two lists LG,LH . In particular, we k denote by αH ≤ QR(QR + QH )/2 the probability of getting an inconsistent list LH during one execution. • Adversary B2 simulates attacks of A against an instantiation of CS in which pkCA, the public key of the CA, is set to Z (the challenge that B2 has as input). If A decides to corrupt the CA then the B1 aborts its execution. $ • When adversary A makes its l’th registration query for honest identity IDl, algorithm B2 selects sl, cl, yl ← y −c Zq. It then computes Rl = g Z l , adds the pair ((Rl,Sl, IDl), cl) to the list LH and then hands Rl, (Rl, yl) to the adversary as transcript of the registration it required; If the identity IDl is corrupted, adversary B2 proceeds as above, with the only difference that Sl is obtained from the adversary; • When adversary A makes a valid signature request (ID, pk, cert,M), the adversary simply computes the signature since it knows the secret keys of all honest users. This particularly implies that the G-list LG never becomes inconsistent.

As explained above, we omit a formal description of how B2 rewinds the executions. Eventually, B2 either aborts prematurely or gets four forgeries (IDi, (Ri,Si), , M i, (Ai,Bi)), for i = 1, 2, 3, 4 such that ID1 = ID2 = ID3 = ID4, R1 = R2 = R3 = R4, S1 = S2 = S3 = S4, A1 = A2 and A3 = A4, which satisfy the equations:

1 1 1 1 2 2 2 2 B = log A + (log S + log R + c1z) · d1 ; B = log A + (log S + log R + c1z) · d2 3 3 3 3 4 4 4 4 B = log A + (log S + log R + c2z) · d3 ; B = log A + (log S + log R + c2z) · d4

for c1 6= c2, d1 6= d2, d3 6= d4. A simple calculation shows that this yields z = log Z. In the following, we denote by UnregKey(i, j, G) the event that A outputs a valid forgery with respect to (i, j) and the ith query to G is made before the jth query to H. Also, by UnregKey(i, j, H) denotes the event that A outputs a valid forgery with respect to (i, j), and the jth query to H is made before the jth query to G. So, for any (i, j) ∈ [QG] × [QH ] we have that: Pr [ UnregKey(i, j) ] = Pr [ UnregKey(i, j, G) ] + Pr [ UnregKey(i, j, H)] .

It is easy to see that there exists a pair of indices (i0, j0) ∈ [QG] × [QH ] such that: 1 Pr [ UnregKey(i0, j0,G) ] + Pr [ UnregKey(i0, j0,H)] ≥ · Pr [ UnregKey ] (4) QG · QH 1 Suppose that the choice (i, j) of B2 coincides with (i0, j0) as above. This occurs with probability . QGQH We sketch the two possibilities how B2 finds the discrete logarithm of z. First, if A makes the i-th query to G before the j-th query to H, i.e., the value d is the same for both challenges c1 6= c2, then B2 gets two equations 1 2 gB = A(RSZc1 )d = A(RS)dZdc1 and gB = A(RSZc2 )d = A(RS)dZdc2

from which B2 can easily compute z. This succeeds for different challenges c1 6= c2 and a consistent list LH 1 1 and thus with probability at least · Pr [ UnregKey(i0, j0,G)] − k − αH . QG·QH 2 The other possibility is that A makes the i-th query to G after the j-th query to H. For i, j let (i, j) = Pr [ UnregKey(i, j, H)]−αH bound the probability that the first execution of A as a subroutine of B ends with a valid forgery with respect to (i, j), query j to H is made before query i to G and adversary B2 does not abort due to an inconsistency in the list LH . The analysis here is very similar to the case of the ElGamal-based encryption where we also used two rewinding executions to extract the Diffie-Hellman solution (only here we have nested another rewinding inside). It analogously follows that B2 succeeds in finding solutions for different 1 3 3 challenges c1 6= c2, d1 6= d2, d3 6= d4 with probability at least · (i0, j0) − k . Given that, B2 can 4QGQH 2 derive z as described above.

25 Since adversary B succeeds when either case above occurs we have that AdvDL (k) is a greater than 2 SG,B2 both success probabilities. From Equation (4) we thus conclude that Pr [ UnregKey ] is bounded by

( 1 ) 1  4  3  3  1  Q2 Q2 · AdvDL (k) + + AdvDL (k) + + 1 + · α G H SG,B2 k 2 2 SG,B2 k H 2 QGQH 2 QGQH

Using the bounds on Pr [ RegKey ] and Pr [ UnregKey ] the desired result follows.

26